Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 1, 2010

Complete DHS Daily Report for September 1, 2010

Daily Report

Top Stories

•After dealing a glancing blow to Puerto Rico and the Virgin Islands and knocking out power to 174,000 customers and water to 33,000 customers, Hurricane Earl is heading back out into the open Atlantic Ocean, and forecasters warned the large, dangerous Category 4 storm packing winds of 135 mph could hit the Carolinas later this week. (See item 1)

1. August 31, CNN – (International) Hurricane Earl could take aim at Carolinas by Friday. After dealing a glancing blow to Puerto Rico and the Virgin Islands, Hurricane Earl left 174,000 customers without power and 33,000 without water. “We were quite fortunate because there was no direct hit in this case,” the governor of Puerto Rico told CNN. But, he said, the island experienced “lots of rain” and some high winds. Hurricane Earl is heading back out into the open Atlantic Ocean, and forecasters warned the large and dangerous storm could have the Carolinas in its sights later this week. Earl quickly developed into a Category 4 storm August 30, packing winds of 135 mph. It also grew large, with hurricane-force winds stretching 70 miles from its center and tropical storm-force winds extending outward some 200 miles. Source:

•According to Bloomberg, two men being held by Dutch authorities after arriving on a flight from the United States are unlikely to have been planning a terrorist attack, two law enforcement officials said. Dutch authorities had said the two men, of Yemeni descent, were being held because suspicious items were found in their luggage, including a mobile phone taped to a Pepto-Bismol bottle, other phones and watches strapped together, several knives, and at least one box-cutter. (See item 24)

24. August 31, Bloomberg – (International) Men held by Dutch said to be unlikely to plot attack. Two men being held by Dutch authorities after arriving on a flight from the United States are unlikely to have been planning a terrorist attack, two American law enforcement officials said. Dutch authorities earlier had said the two men, of Yemeni descent, were being held on possible involvement in preparing a terrorist act after arriving at Schiphol Airport near Amsterdam August 30 on a flight from Chicago, Illinois. The U.S. residents didn’t know each other, according to law enforcement officials, who spoke on condition of anonymity because the investigation is continuing. There is no evidence to suggest terrorism, they said. One of the men’s checked bags aroused suspicion because it contained a mobile phone taped to a Pepto-Bismol bottle, and other phones and watches strapped together, as well as several knives and at least one box-cutter, officials said. A failed attempt to blow up a U.S. airliner bound for Detroit December 25 originated in Amsterdam. On August 31, the Dutch national prosecutor, in a statement to reporters at Schiphol, said the arrests of the two men took place based on information from U.S. authorities. “In a few days, it will be made public if they will be charged,” he said. He noted that mobile phones found in the luggage were seized by U.S. authorities. Earlier, airport screeners in Birmingham, Alabama, had inspected checked baggage belonging to one of the men, who was carrying $7,000 in cash, and found items taped together in various configurations, the law enforcement official said. When no explosives were found, the man was allowed to fly to Chicago, where he met the second man and boarded United Airlines Flight 908 to Amsterdam, the official said. The U.S. Department of Homeland Security released a statement saying that “suspicious items” found in the checked baggage “were not deemed to be dangerous in and of themselves.” While the man from Detroit headed to Amsterdam, the luggage containing the suspicious items was checked on to a flight to Dulles International Airport in Dulles, Virginia, and then to Yemen, the law enforcement official said. Security employees ordered the Dulles-bound flight back to the gate in Chicago and retrieved the luggage after finding that the passenger wasn’t on board, said another U.S. official who asked not to be named. Source:


Banking and Finance Sector

16. August 31, Elgin Courier-News – (Illinois) Phone scam uses credit union name as bait. A number of Elgin, Illinois residents have reported receiving an automated phone message over the past several days, which authorities have warned is nothing more than a scam. A city spokeswoman said police received more than 30 complaints over the weekend from people reporting that they had received a recorded message from someone claiming to be a representative of the Elgin-based Kane County Teachers Credit Union, 111 S. Hawthorne St. The automated message states that there is a problem with an ATM card and directs the recipient to press “1” to be connected to a security department. The KCT Credit Union vice president of marketing said the financial institution is not responsible for, or connected with, the messages being sent. She urged anyone who receives such a call never to give out any personal information, but instead to contact a credit union branch directly for more information. Source:

17. August 31, Denver Post – (Colorado) ‘JV Bandit’ bank robber struck again Saturday, FBI says. A man suspected of being the FBI’s “JV Bandit” robbed the Chase Bank at 3850 North Wadsworth Blvd. in Wheat Ridge, Colorado, August 28, the agency said August 30. He is suspected of robbing the same bank August 11. The JV Bandit, so called because he often wears sportswear during robberies, is suspected in at least four other bank robberies in the metro area since October 2008. He is also a suspect in the robbery of the 1st Bank at 4350 North Wadsworth Blvd. in Wheat Ridge July 13. The other three robberies were in 2008: the Chase Bank at 14417 West Colfax Ave. in Lakewood, the Key Bank at 1222 Arapahoe St. in Golden and the U.S. Bank at 1801 Jackson St. in Golden, the FBI stated. Source:

18. August 30, Krebs on Security – (Iowa) Crooks who stole $600,000 from Catholic diocese said money was for clergy sex abuse victims. Organized cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier in August. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals, Krebs on Security has learned. In a statement released recently, the diocese said the fraud occurred between August 13 and August 16, apparently after criminals had stolen the diocese’s online banking credentials. The diocese was alerted to the fraud August 17 by its financial institution, Bankers Trust of Des Moines. The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. The diocese added that law enforcement had advised it that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly acted as intermediaries. Source:

19. August 30, Palm Beach Post – (Florida) Police warn Jupiter businesses of phone scam trying to steal credit card numbers. Police August 30 issued a warning about a scam artist who is calling Jupiter, Florida businesses pretending to be a police officer in order to extract customers’ credit card information from intimidated employees. Authorities said the scammer calls up and claims he or she is either from the West Palm Beach Police Department or the FBI, then claims to need a list of the business’ customers and credit card numbers as part of a fraud investigation. In at least one of the cases, the scammer has threatened to execute a search warrant on the business if the employee did not cooperate. A Jupiter police sergeant advised business owners and employees never to give out sensitive financial information over the phone. “We don’t seek out that information over the phone, even if we were conducting an investigation,” he said. “If someone says they’re an officer investigating something, tell them you’d be happy to cooperate but have them come in.” Source:

20. August 27, Reuters – (International) U.S. seeks extradition of Caribbean Ponzi schemer. U.S. authorities want to extradite from the Turks and Caicos Islands a Jamaican banker accused of running a Ponzi scheme that bilked investors out of nearly $300 million in one of the Caribbean’s biggest financial fraud cases, a law enforcement official said August 27. U.S. prosecutors have filed criminal charges against a suspect who is currently under investigation but on bail in the Turks and Caicos, a British overseas territory. The suspect faces fraud, money laundering and other charges in the Turks and Caicos, said the deputy senior investigator of the Turks and Caicos special investigation and prosecution team. “It’s alleged that he’s run a Ponzi scheme to the tune of about $300 million,” the special investigator told Reuters. In a court filing earlier in August in Orlando, Florida, U.S. prosecutors said the suspect defrauded thousands of investors from the United States, Jamaica and other Caribbean territories, promising his investments in foreign currency trading would yield monthly average returns of 10 percent. Among the affected were investors in Florida, which has been hit by a number of high-profile Ponzi schemes in recent years, including fallout from the massive fraud scandals surrounding a convicted Wall Street swindler and an accused Texas financier. Source:

Information Technology

52. August 31, Computerworld – (International) Google disputes bug patching report. Google August 30 said that a recent report claiming it failed to patch a third of the serious bugs in its software had the facts wrong. IBM’s X-Force security company, which released the report last week, acknowledged the error and issued a revised chart that shows Google patched all the vulnerabilities rated “critical” or “high” in its online services. “We questioned a number of surprising findings concerning Google’s vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report’s conclusions,” said a security program manager at Google in an entry on a company blog. Recently, X-Force’s report claimed that 9 percent of all Google bugs disclosed in the first half of 2010 were unpatched, and 33 percent of the vulnerabilities ranked as critical or high had not been fixed. According to IBM’s revised tabulations, Google patched every vulnerability revealed in the first 6 months of this year. Source:

53. August 31, SC Magazine UK – (International) Badly configured networks believed to be the main cause of network breaches. Misconfigured networks account for more than three quarters of breaches, according to a survey, which found that a badly configured network is the main cause of network breaches because IT professionals “don’t know what to look for.” The survey, conducted by Tufin, also revealed that 18 percent of security experts believe misconfigured networks are the result of insufficient time or money for audits, while 14 percent felt that compliance audits that do not always capture security best practices are a factor. The CTO and co-founder of Tufin said: “The really big question coming out of the survey is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any medium-to-large sized company’s security operations.” Almost half of the respondents (43 percent) also claimed that planting a rogue member of staff inside a company was one of the most successful hacking methodologies. However, 58 percent of attendees said they did not believe outsourcing security to a third party increased the chances of getting hacked, and almost half the sample believed it would not increase the chances of any sort of security or compliance issue. Source:

54. August 31, – (International) Update scam targets TweetDeck users. Users of Twitter management app TweetDeck have been warned not to click on links that claim to be an update for the site but actually contain a Trojan program. The application is set for a genuine overhaul starting August 31 as part of an update to Twitter itself, and the scammers have used the situation to launch the malicious links. A member of the TweetDeck team explained in a blog post that users should ignore the updates. “We are seeing a number of updates on Twitter urging users to download a file called ‘tweetdeck-08302010-update.exe’ from a URL beginning with These tweets are from hacked accounts and this file does not come from us,” it read. The firm added that users should download updates to the application only from the TweetDeck Web site. TweetDeck also explained five of the most popular ways the fake updates arrive, including, “TweetDeck will work until tomorrow, update now!” and “Hurry up for tweetdeck update!”. The changes to Twitter August 31 causing apps such as TweetDeck to issue their own site updates center around the move to OAuth, an authentication method which allows users to use third party apps without them storing their passwords. Source:

55. August 31, SC Magazine UK – (International) Service provider of German chemist exposes personal details of around 150,000 customers. The details of around 150,000 customers of the German chemist chain Schlecker have been exposed. According to a report by The Local, the mistake was the fault of an external service provider; it has since been fixed and the data is no longer available online. The data included first and last names, addresses, genders, e-mail addresses and customer profiles, with a further 7.1 million e-mail addresses of customers receiving the firm’s newsletter also available. A spokesperson for Schlecker said account numbers and passwords were never vulnerable. An information-protection specialist who discovered the data online said: “We stumbled on this data breach by accident. Then we realized: this is no data leak, this is a wide-open door. They (cyber criminals) would write to the customers in the name of Schlecker –- directly over the publicly available mail server. The customer would trust the correspondent, thinking, ‘Yes, it’s Schlecker.’ They would make purchases and hand over their bank details.” On August 27, Schlecker offered its online customers a voucher to the value of 5 euros via e-mail, a company spokesman confirmed. It states that it is not a compensation payment but “a general goodwill gesture.” A spokesman for the firm confirmed media reports that the personal data of online customers had for an unspecified time found their way onto the Internet and were available to any Web user. Source:

56. August 30, The Register – (International) Apple QuickTime backdoor creates code-execution peril. A security researcher has unearthed a “bizarre” flaw in Apple’s QuickTime Player that can be exploited to remotely execute malicious code on Windows-based PCs, even those running the most recent versions of the operating system. Technically, the inclusion of an unused parameter known as “_Marshaled_pUnk” is a backdoor because it is the work of an Apple developer who added it to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed. It sat largely undetected for at least 9 years until a researcher at Spain-based security firm Wintercore discovered it and realized it could be exploited to take full control of machines running Windows 7, Microsoft’s most secure operating system to date. “The bug is pretty bizarre,” the CSO of Rapid7 and chief architect of the Metasploit project told The Register August 30. “It’s not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It’s probably an oversight.” The presence of _Marshaled_pUnk creates the equivalent of an object pointer that an attacker can use to funnel malicious code into computer memory. Source:

57. August 30, IDG News Service – (International) Cisco patches bug that crashed 1 percent of Internet. Cisco has fixed a bug in its Internetwork Operating System (IOS) router software that contributed to a brief Internet blackout last week, thought to have affected about 1 percent of the Internet. The bug was discovered August 27 when the RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and researchers at Duke University started distributing experimental BGP (Border Gateway Protocol) data via RIPE NCC’s systems. A large number of routers became unreachable within minutes and the experiment was quickly stopped. The Border Gateway Protocol is used by routers to find the best ways to send traffic to each other on the Internet. Because it is very easy for bad BGP data to spread quickly, security experts have warned it could someday be misused to seriously disrupt the Internet. It turned out that routers that were running Cisco’s IOS XR operating system took the experimental data — which was much larger than typical BGP routing information — corrupted it, and then passed that corrupted information on to other routers. Many of the routers simply closed connections with the Cisco routers that sent the buggy data, causing part of the Internet to become inaccessible. In a security advisory released just hours after the incident, Cisco confirmed the August 27 incident disclosed the bug. The experiment made it difficult to reach some networks in more than 60 countries, according to Renesys’ General Manager, who blogged about the issue August 27. More than 3,500 “prefixes,” or blocks of Internet Protocol address space, were affected, he said. There are just over 333,000 such prefixes on the Internet, according to the Web site Source:

58. August 30, The H Security – (International) Microsoft tool for DLL vulnerability interferes with some applications. Microsoft’s tool to protect against the DLL hijacking vulnerability results in some programs no longer working properly. Users who want to use the tool to prevent attackers from passing infected libraries to trusted applications should set the new CWDIllegalInDllSearch registry DWORD value to 0xFFFFFFFF (“ffffffff”). This removes the working directory, which could be located on a network share, from Windows’ list of locations to search for DLLs. But this causes problems for programs that rely on this search behavior but are not vulnerable to DLL hijacking. The most prominent example is the current stable version of Google Chrome. If the registry value is set, the browser fails to find the avutil-50.dll file when the user opens the program or a new tab. If a Web page contains an HTML5 video element, the entire page fails to display. On one Windows 7 test system, the open source graphics program GIMP was also no longer able to find its plug-ins. According to user reports, the games service Steam and the Java plugin for Mozilla also encounter difficulties. Such cases can be resolved by individually excluding problem applications from the modified search behavior, at the cost of watering down the security measure for those programs. To do so, a new DWORD value called CWDIllegalInDllSearch should be created under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Program Name.exe\ and set to “0”. This causes the application to use Windows’ standard list of search locations, but makes it once more vulnerable to DLL hijacking. Source:
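The following PowerShell script is an added illustration of the procedure described in item 58; it is not from The H Security article or from Microsoft. It assumes the value semantics Microsoft documents for CWDIllegalInDllSearch (KB 2264107, not cited on the page): the system-wide value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, a per-application value under Image File Execution Options\<image>.exe takes precedence over it, and besides 0 and 0xFFFFFFFF the values 1 (block only when the working directory is WebDAV) and 2 (block only when it is any remote folder) are accepted. The exception list below is a hypothetical placeholder to be replaced with the real image names on the target system.

```powershell
# Added example, not from the original report. Requires an elevated prompt and
# the Microsoft update that introduces CWDIllegalInDllSearch.
$globalKey = 'SYSTEM\CurrentControlSet\Control\Session Manager'            # assumed from KB 2264107
$ifeoKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$valName   = 'CWDIllegalInDllSearch'

# Documented values (KB 2264107):
#   0xFFFFFFFF  remove the current working directory (CWD) from the DLL search order entirely
#   2           block CWD DLL loads only when CWD is a remote folder (UNC or WebDAV)
#   1           block CWD DLL loads only when CWD is a WebDAV folder
#   0           Windows default: CWD is searched (vulnerable to DLL hijacking)

# 1. System-wide hardening, as the article recommends.
#    reg.exe is used deliberately: Windows PowerShell 5.1's Set-ItemProperty -Type DWord
#    rejects 0xFFFFFFFF because it does not fit a signed Int32.
reg.exe add "HKLM\$globalKey" /v $valName /t REG_DWORD /d 0xFFFFFFFF /f | Out-Null

# 2. Per-application exceptions for programs that legitimately load DLLs relative to
#    their working directory. chrome.exe is the article's example; anything else here
#    is a placeholder. Value 2 keeps protection for remote working directories while
#    allowing local ones; fall back to 0 (the article's setting) only if the program
#    still fails, since 0 restores the hijackable default for that image.
$exceptions = @('chrome.exe')   # hypothetical list, adjust per system
foreach ($image in $exceptions) {
    reg.exe add "HKLM\$ifeoKey\$image" /v $valName /t REG_DWORD /d 2 /f | Out-Null
}

# 3. Read back what is in effect. Get-ItemProperty surfaces a REG_DWORD as Int32,
#    so 0xFFFFFFFF comes back as -1; -band widens it to an unsigned value first.
function Get-CwdDllPolicy {
    param([string]$Image)
    $path = if ($Image) { "HKLM:\$ifeoKey\$Image" } else { "HKLM:\$globalKey" }
    $raw  = (Get-ItemProperty -Path $path -Name $valName -ErrorAction SilentlyContinue).$valName
    if ($null -eq $raw) { return 'not set (Windows default: CWD searched)' }
    switch ([uint32]($raw -band 0xFFFFFFFF)) {
        0xFFFFFFFF { 'CWD removed from DLL search order' }
        2          { 'CWD blocked when remote (UNC/WebDAV)' }
        1          { 'CWD blocked when WebDAV' }
        0          { 'explicit default: CWD searched (hijackable)' }
        default    { "unrecognized value $raw" }
    }
}

"Global: {0}" -f (Get-CwdDllPolicy)
foreach ($image in $exceptions) { "{0}: {1}" -f $image, (Get-CwdDllPolicy -Image $image) }
```

Because the per-image value overrides the global one, each exception added in step 2 is exactly the scope in which the hijacking protection is weakened; keep the list short and re-run step 3 after updates to the excluded programs, since a newer build may no longer need the exception.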

59. August 30, The New New Internet – (International) Hackers deface Philippine government sites. The Philippine government has asked all of its federal agencies to tighten security of their official Web sites following last week’s hacking of the Philippine Information Agency (PIA) Web site, Xinhua reported. A government official said in a press statement the executive branch is adopting “best practices” to make government Web sites less vulnerable to intrusion. PIA is the official information arm of the Philippine government. The information agency Web site was down for several hours after it was hacked by a user named “7z1.” The defaced Web page displayed a Chinese flag on a black background. The cyber attack was made almost a week after the Manila hostage tragedy in which eight Hong Kong tourists were killed. It is, however, unknown if the hack attack was related to the widespread public anger that followed the hostage situation. Source:

60. August 30, – (International) Quantum system hacked in ‘blinding’ attack. Researchers at the Norwegian University of Science and Technology (NTNU) have discovered a way to hack quantum network traffic using currently available technology. Quantum signals are touted as perfectly secure, since the act of observing the signal changes it and alerts the receiver to the interception. However, the researchers discovered a way to use a 1 milliwatt laser to fool the receiver into believing the message has not been tampered with, when in fact it can be harvested using traditional techniques. “Our hack gave 100 percent knowledge of the key, with zero disturbance to the system,” a researcher from NTNU told Nature. “We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing.” “Blinding” the receiving station allowed the team to harvest the data they needed. The attack worked on two commercially available quantum cryptography systems from Swiss firm ID Quantique, and a MagiQ Technologies system built in the United States. The team contacted both companies before publishing its research, and patches have now been issued. Source:

Communications Sector

61. August 31, Agence France-Presse – (International) Google, Skype under fire in India security crackdown. BlackBerry may have won a reprieve but Google and Skype were squarely in the firing line August 31 as India’s security agencies widened their crackdown on telecom firms. India’s 1.1 million BlackBerry users heaved a sigh of relief after the government August 30 gave the smartphone’s manufacturer a 2-month window to provide a permanent solution to avert a ban on its corporate message services. Security forces in India, battling insurgencies ranging from Kashmir in the northwest to the far-flung northeast, are insisting that telecom groups give them the capability to monitor their data. Skype, the Internet phone service, and Google, which uses powerful encryption technology for its Gmail e-mail service, are expected to be among the next wave of firms to come under New Delhi’s scanner. “If Google or Skype have a component that is not accessible, that will not be possible,” a spokesman for the home ministry said. “The message is the same for everybody.” Home ministry sources have said in the past that Skype, which uses Voice-Over-Internet-Protocol (VOIP) technology that sends calls over the Internet, poses a difficulty for domestic intelligence services. Source:

62. August 31, Computerworld – (National) Hurricane Earl may test IT teleworkers. If Hurricane Earl, now a major hurricane, hits the East Coast of the United States later in the week of August 30, the top concern for IT executives may not be data center outages but loss of Internet access for telecommuting workers. Forecasters said the storm could possibly hit land somewhere between the Carolinas and New England sometime before the start of Labor Day weekend. Critical data centers, with backup generators, facilities and fuel supplies, are now built to continue operating during storms. The same cannot be said for the computing setups that telecommuters maintain in their homes, and they may be put to the test this year. Last year, a lack of hurricanes made it a good one for telecommuters. There were only three hurricanes in U.S. waters last year, and none of them brought hurricane-force winds over land in this country, according to Eaton Corp., a power management company that has been tracking power outages nationally since 2008. Source:

63. August 30, Associated Press – (International) New cables tie West Africa closer to Internet. For a decade, West Africa’s main connection to the Internet has been a single fiber-optic cable in the Atlantic Ocean, a tenuous and expensive link for one of the poorest areas of the planet. But this summer, a second cable snaked along the West African coastline, ending at Nigeria’s commercial capital, Lagos. It has more than five times the capacity of the old one and is set to bring competition to a market where wholesale Internet access costs nearly 500 times as much as it does in the United States. It is the first of a new wave of investment that the U.N.’s International Telecommunication Union said will vastly raise the bandwidth available in West Africa by mid-2012. Source: